
CSE 484 / CSE M 584: Computer Security and Privacy

Anonymity and Secure Messaging

Fall 2016

Ada (Adam) Lerner
lerner@cs.washington.edu

Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

Tor

•  Second-generation onion routing network
   –  https://www.torproject.org/
   –  Now a large open source project with a non-profit organization behind it
   –  Specifically designed for low-latency anonymous Internet communications
•  Running since October 2003
•  “Easy-to-use” client proxy
   –  Freely available, can use it for anonymous browsing

12/9/16 CSE 484 / CSE M 584 - Fall 2016

Tor Browser Bundle

•  A single, downloadable browser app which does the right thing.

Tor Circuit Setup (1)

•  Client proxy establishes a symmetric session key and circuit with Onion Router #1

Tor Circuit Setup (2)

•  Client proxy extends the circuit by establishing a symmetric session key with Onion Router #2
   –  Tunnel through Onion Router #1

Tor Circuit Setup (3)

•  Client proxy extends the circuit by establishing a symmetric session key with Onion Router #3
   –  Tunnel through Onion Routers #1 and #2

Using a Tor Circuit

•  Client applications connect and communicate over the established Tor circuit.
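The layering that the three setup steps produce, as an added example (not from the original slides): the client wraps a payload once per session key, and each onion router removes only its own layer. Assumptions: random bytes stand in for the per-router key exchange, and a SHA-256 counter-mode keystream stands in for a real stream cipher.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for a real
    cipher. XOR makes encryption and decryption the same call. Reusing the
    keystream for a second cell would be insecure; this handles one cell."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_circuit(hops: int = 3) -> list:
    """One symmetric session key per onion router, in path order.
    Assumption: the key exchange itself is elided."""
    return [secrets.token_bytes(32) for _ in range(hops)]

def client_wrap(keys: list, payload: bytes) -> bytes:
    """Client adds router #3's layer first and router #1's layer last."""
    cell = payload
    for key in reversed(keys):
        cell = keystream_xor(key, cell)
    return cell

def relay(keys: list, cell: bytes) -> list:
    """Each router strips its own layer; returns what each one forwards."""
    forwarded = []
    for key in keys:
        cell = keystream_xor(key, cell)
        forwarded.append(cell)
    return forwarded

def demo():
    keys = build_circuit()
    payload = b"GET / HTTP/1.1 (constructed sample request)"
    cell = client_wrap(keys, payload)
    return payload, cell, relay(keys, cell)

if __name__ == "__main__":
    payload, cell, views = demo()
    for number, view in enumerate(views, 1):
        print(f"router #{number} forwards: {view[:12].hex()}...")
    print("last router recovers the payload:", views[-1] == payload)
```

Routers #1 and #2 only ever handle ciphertext, while the last router recovers the payload in the clear unless the application encrypts it separately.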

Tor Management Issues

•  Many applications can share one circuit
   –  Multiple TCP streams over one anonymous connection
•  Tor router doesn’t need root privileges
   –  Encourages people to set up their own routers
   –  More participants = better anonymity for everyone
•  Directory servers
   –  Maintain lists of active onion routers, their locations, current public keys, etc.
   –  Control how new routers join the network
      •  “Sybil attack”: attacker creates a large number of routers
   –  Directory servers’ keys ship with Tor code

Location Hidden Service

•  Goal: deploy a server on the Internet that anyone can connect to without knowing where it is or who runs it
•  Accessible from anywhere
•  Resistant to censorship
•  Can survive a full-blown DoS attack
•  Resistant to physical attack
   –  Can’t find the physical server!

Creating a Location Hidden Server

•  Server creates circuits to “introduction points”
•  Server gives intro points’ descriptors and addresses to service lookup directory
•  Client obtains service descriptor and intro point address from directory

Using a Location Hidden Server

•  Client creates a circuit to a “rendezvous point”
•  Client sends address of the rendezvous point and any authorization, if needed, to server through intro point
•  If server chooses to talk to client, connect to rendezvous point
•  Rendezvous point splices the circuits from client & server

Attacks on Anonymity

•  Passive traffic analysis
   –  Infer from network traffic who is talking to whom
   –  To hide your traffic, must carry other people’s traffic!
•  Active traffic analysis
   –  Inject packets or put a timing signature on packet flow
•  Compromise of network nodes
   –  Attacker may compromise some routers
   –  It is not obvious which nodes have been compromised
      •  Attacker may be passively logging traffic
   –  Better not to trust any individual router
      •  Assume that some fraction of routers is good, don’t know which

Deployed Anonymity Systems

•  Tor (http://tor.eff.org)
   –  Overlay circuit-based anonymity network
   –  Best for low-latency applications such as anonymous Web browsing
•  Mixminion (http://www.mixminion.net)
   –  Network of mixes
   –  Best for high-latency applications such as anonymous email
•  Not: Yik Yak :)

Some Caution

•  Tor isn’t completely effective by itself
   –  Tracking cookies, fingerprinting, etc.
   –  Exit nodes can see everything!

Identifying Web Pages: Traffic Analysis

Herrmann et al. “Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-Bayes Classifier” CCSW 2009

OTR AND SECURE MESSAGING

OTR – “Off The Record”

•  Protocol for end-to-end encrypted instant messaging
•  End-to-end: Only the endpoints can read messages.
   –  PGP, iMessage, WhatsApp, and a variety of other services provide some form of end-to-end encryption today.

(Borisov, Goldberg, Brewer 2014)

OTR – “Off The Record”

•  End-to-end encryption
•  Authentication
•  Deniability, after the fact
•  Perfect Forward Secrecy

OTR – “Off The Record”

•  End-to-end encryption
•  Authentication
•  Deniability / Repudiability, after the fact
•  Perfect Forward Secrecy

OTR: Deniability / Repudiability

[Diagram: Eve; Alice and Bob; message “Something incriminating”]


OTR: Deniability / Repudiability

•  During a conversation session, messages are authenticated and unmodified.
•  Authentication happens using a MAC derived from a shared secret.
•  Q1


OTR: Deniability / Repudiability

•  Can’t prove the other person sent the message, because you also could have computed the MAC!
•  OTR takes this one step further: After a messaging session is over, Alice and Bob send the MAC key publicly over the wire!

OTR: Deniability / Repudiability

•  Eve now knows the MAC key, so technically speaking, she also has the ability to forge messages from Alice or Bob.
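The deniability argument from the preceding slides, as an added example (not from the original slides): a MAC tag authenticates a message to the other key holder during the session, yet proves nothing to a third party, and proves even less once the key is published. Assumptions: HMAC-SHA256 as the MAC, and random bytes standing in for the shared secret from the session's key exchange.

```python
import hashlib
import hmac
import secrets

def mac_tag(mac_key: bytes, message: bytes) -> bytes:
    """Tag a message with HMAC-SHA256 under the shared MAC key."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()

def verify(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check that the tag matches the message."""
    return hmac.compare_digest(mac_tag(mac_key, message), tag)

def demo() -> dict:
    shared_key = secrets.token_bytes(32)   # assumption: output of the key exchange
    text = b"Something incriminating"      # message from the slide's diagram
    alice_tag = mac_tag(shared_key, text)  # what Alice sends alongside the text

    results = {
        # During the session Bob knows the message is authentic and unmodified.
        "bob_accepts": verify(shared_key, text, alice_tag),
        "tamper_rejected": not verify(shared_key, b"Something else", alice_tag),
        # Without the key (here: a wrong key) verification fails.
        "wrong_key_rejected": not verify(secrets.token_bytes(32), text, alice_tag),
    }

    # Bob holds the same key, so he can produce the identical tag himself.
    # A transcript with a valid tag therefore does not prove Alice wrote it.
    results["bob_could_have_written_it"] = mac_tag(shared_key, text) == alice_tag

    # After the session the MAC key is sent in the clear. From then on a
    # valid tag on any text, including constructed text, proves nothing.
    published_key = shared_key
    constructed = b"constructed text that Alice never sent"
    results["valid_tag_after_release"] = verify(
        published_key, constructed, mac_tag(published_key, constructed)
    )
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```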


Perfect Forward Secrecy

[Diagram: Eve; Alice (Secrets A) and Bob (Secrets B); public info, e.g. C1 C2 C3 … Cn]

If Eve compromises Alice or Bob’s computers at a later date, we would like to prevent her from being able to learn what M1, M2, M3, etc. correspond to C1, C2, C3, etc.

OTR: Ratcheting

•  Idea: Use a new key for every session / message / time period.
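One simple way to get a new key per message, as an added example (not from the original slides): a symmetric hash ratchet, where each step derives a message key and overwrites the chain key. This construction is an assumption chosen for illustration; OTR itself re-keys using fresh Diffie-Hellman exchanges. The class and labels are hypothetical names.

```python
import hashlib
import hmac
import secrets

def kdf(chain_key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256 keyed with the chain key)."""
    return hmac.new(chain_key, label, hashlib.sha256).digest()

class HashRatchet:
    """Derives one key per message and replaces the chain key each step."""

    def __init__(self, root_key: bytes):
        self._chain = root_key

    def next_message_key(self) -> bytes:
        message_key = kdf(self._chain, b"message")
        # Overwrite the chain key; a real implementation must also make
        # sure the old value is erased from memory and storage.
        self._chain = kdf(self._chain, b"chain")
        return message_key

    def seized_state(self) -> bytes:
        """What Eve obtains if she compromises the device right now."""
        return self._chain

def demo(past: int = 3, future: int = 3) -> dict:
    root = secrets.token_bytes(32)  # assumption: agreed during session setup
    alice, bob = HashRatchet(root), HashRatchet(root)
    alice_keys = [alice.next_message_key() for _ in range(past)]
    bob_keys = [bob.next_message_key() for _ in range(past)]

    # Eve compromises Alice's computer after C1..C3 have been sent.
    eve = HashRatchet(alice.seized_state())
    eve_keys = [eve.next_message_key() for _ in range(future)]
    later_keys = [alice.next_message_key() for _ in range(future)]
    return {
        "in_sync": alice_keys == bob_keys,
        "all_distinct": len(set(alice_keys)) == past,
        # Stepping backwards would require inverting HMAC-SHA256, so nothing
        # derived from the seized state matches a key for C1..C3.
        "past_keys_exposed": any(k in alice_keys for k in eve_keys),
        # A pure hash ratchet does not protect keys derived after the
        # compromise; recovering from that needs fresh key agreement.
        "later_keys_exposed": eve_keys == later_keys,
    }

if __name__ == "__main__":
    print(demo())
```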

Signal

•  End-to-end encrypted chat / IM based on OTR
•  Provides variations on ratcheting, deniability, etc.
•  Widely used, public code, audited.
